From: Nicolas Thill Date: Fri, 24 Apr 2009 02:29:34 +0000 (+0000) Subject: fix local privilege escalation in udev (even if we don't currently use udevd) X-Git-Tag: 8.09.1~98 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=0ebd6da5d5af499ab6a3058b68a32299dff9984f;p=openwrt%2Fsvn-archive%2Fopenwrt.git fix local privilege escalation in udev (even if we don't currently use udevd) SVN-Revision: 15370 --- diff --git a/package/udev/Makefile b/package/udev/Makefile index c611f9cc4a..be25da0e65 100644 --- a/package/udev/Makefile +++ b/package/udev/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2008 OpenWrt.org +# Copyright (C) 2006-2009 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=udev PKG_VERSION:=106 -PKG_RELEASE:=1 +PKG_RELEASE:=1.1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@KERNEL/linux/utils/kernel/hotplug/ diff --git a/package/udev/patches/901-cve-2009-1185.patch b/package/udev/patches/901-cve-2009-1185.patch new file mode 100644 index 0000000000..6e9919df6b --- /dev/null +++ b/package/udev/patches/901-cve-2009-1185.patch @@ -0,0 +1,40 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 + +--- a/udevd.c ++++ b/udevd.c +@@ -734,16 +734,34 @@ static struct udevd_uevent_msg *get_netl + struct udevd_uevent_msg *msg; + int bufpos; + ssize_t size; ++ struct sockaddr_nl snl; ++ struct msghdr smsg; ++ struct iovec iov; + static char buffer[UEVENT_BUFFER_SIZE+512]; + char *pos; + +- size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0); ++ iov.iov_base = buffer; ++ iov.iov_len = sizeof(buffer); ++ ++ memset(&smsg, 0x00, sizeof(struct msghdr)); ++ smsg.msg_name = &snl; ++ smsg.msg_namelen = sizeof(struct sockaddr_nl); ++ smsg.msg_iov = &iov; ++ smsg.msg_iovlen = 1; ++ ++ size = recvmsg(uevent_netlink_sock, &smsg, 0); + if (size < 0) { + if (errno != EINTR) + err("unable to receive kernel netlink message: %s", strerror(errno)); + return NULL; + } + ++ if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) { ++ info("ignored netlink message from invalid group/sender %d/%d\n", ++ snl.nl_groups, snl.nl_pid); ++ return NULL; ++ } ++ + if ((size_t)size > sizeof(buffer)-1) + size = sizeof(buffer)-1; + buffer[size] = '\0';